Configuring the IDSM2

Note All IPS platforms allow ten concurrent login sessions.

Note Catalyst 6500 Series Switch is used generically to refer to both the 6500 series switches and the 7600 series routers.

This chapter contains procedures that are specific to configuring the IDSM2. Once you set up the IDSM2 to receive traffic from the network, you can configure it for intrusion prevention. It contains the following sections:

Note It is normal for the status to read other when the IDSM2 is first installed. After the IDSM2 completes the diagnostics routines and comes online, the status reads ok. Allow up to 5 minutes for the IDSM2 to come online.

Configuring the Catalyst 6500 Series Switch for Command and Control Access to the IDSM2

You must configure the Catalyst 6500 series switch to have command and control access to the IDSM2. This section describes how to configure the switch to have command and control access, and contains the following topics:

This product contains cryptographic features and is subject to United States and local
country laws governing import, export, transfer and use. Delivery of Cisco cryptographic
products does not imply third-party authority to import, export, distribute or use
encryption. Importers, exporters, distributors and users are responsible for compliance
with U.S. and local country laws. By using this product you agree to comply with
applicable laws and regulations. If you are unable to comply with U.S. and local laws,
return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.

***LICENSE NOTICE***

There is no license key installed on the system.

Please go to http://www.cisco.com/go/license to obtain a new license or install a license.

idsm-2# ping 10.89.149.126

PING 10.89.149.126 (10.89.149.126): 56 data bytes

64 bytes from 10.89.149.126: icmp_seq=0 ttl=255 time=0.3 ms

64 bytes from 10.89.149.126: icmp_seq=1 ttl=255 time=0.3 ms

64 bytes from 10.89.149.126: icmp_seq=2 ttl=255 time=0.3 ms

64 bytes from 10.89.149.126: icmp_seq=3 ttl=255 time=0.3 ms

--- 10.89.149.126 ping statistics ---

4 packets transmitted, 4 packets received, 0% packet loss

round-trip min/avg/max = 0.3/0.3/0.3 ms

idsm-2# exit

console> (enable)

Step 5 Initialize the IDSM2.

Step 6 Ping the default router of the IDSM2.

Step 7 Verify that the management station can ping, SSH or Telnet to, and web browse to the IDSM2.

Step 4 Verify that you have connectivity by sessioning in to the IDSM2 and pinging a network IP address.

router# session slot module_number processor 1

idsm-2# ping network_ip_address

Example

router# session slot 11 processor 1

The default escape character is Ctrl-^, then x.

You can also type 'exit' at the remote prompt to end the session

Trying 127.0.0.91 ... Open

login: cisco

Password:


The IDSM2 Sensing Modes

•Promiscuous mode—When the IDSM2 was introduced, promiscuous mode was the only sensing mode supported on the IDSM2 and it is the default sensing mode for both data ports.

In promiscuous mode, the IDSM2 passively monitors network traffic copied to its data ports by the Catalyst switch. The data ports operate as 802.1q trunks and you can configure the two data ports to trunk the same or different VLANs. The Catalyst switch uses either SPAN or VACL capture to copy specific traffic to the data ports. You can send the same or different traffic to the two data ports. Because the IDSM2 is passive in this mode, it cannot drop packets to block a network intrusion attempt, but you can configure it to send TCP resets to both sides of the network connection to try to break the connection.

Note Because the Catalyst switch does not forward traffic received from a capture destination port, the IDSM2 cannot send TCP resets over the data ports to try to block an intrusion. Therefore, a separate reset port available only in promiscuous mode is reserved for this purpose.

•Inline mode—Beginning with IPS 5.0(1), you can configure the IDSM2 to be an active network device in inline interface pair mode. The two data ports operate together to bridge two VLANs through the IDSM2. You configure each data port as an access port and assign a different VLAN to each data port. The IDSM2 bridges the two VLANs by forwarding traffic between the two data ports. It inspects the traffic it receives on each data port and can either forward the packets to the other data port or drop the packet if it detects an intrusion. You must configure the switch for inline mode, and then create the inline interface pairs on the IDSM2.

•Inline VLAN pair mode—Beginning with IPS 5.1(1), you can configure the IDSM2 in inline VLAN pair mode. The IDSM2 performs VLAN bridging between pairs of VLANs within the same data port operating as an 802.1q trunk. The IDSM2 inspects the traffic it receives on each VLAN in a VLAN pair and can either forward the packets on the other VLAN in the pair (on the same data port on which the packet was received) or drop the packet if an intrusion is detected. You can configure the IDSM2 to simultaneously bridge up to 255 VLAN pairs on each data port. The IDSM2 replaces the VLAN ID field in the 802.1q header of each packet with the ID of the VLAN on which the packet is forwarded. It drops any packets received on VLANs that are not assigned to an inline VLAN pair.

Note You are responsible for coordinating the IPS and switch configuration to make sure each of the VLANS associated with an inline VLAN pair is also an allowed VLAN for the data port trunk.

You can mix sensing modes on the IDSM2. For example, you can configure one data port for promiscuous mode and the other data port for inline VLAN pair mode. But because the IDSM2 only has two data ports and inline mode requires the use of both data ports as a pair, you cannot mix inline mode with either of the other two modes.

Understanding the Switch, the IDSM2, and Promiscuous Mode

Traffic is captured for promiscuous analysis on the IDSM2 through SPAN or VACL capture (if you are running the Cisco IOS Firewall on the MSFC, you cannot use VACLs, but you can use the mls ip ids command). Port 1 (GigabitEthernet0/1) is used as the TCP reset port, port 2 (GigabitEthernet0/2) is the command and control port, and ports 7 and 8 (GigabitEthernet0/7 and GigabitEthernet0/8) are the monitoring ports. You can configure both monitoring ports to be either SPAN destination ports or VACL capture ports.

Caution If you configure both ports as monitoring ports, make sure that they are configured to monitor different traffic.

Caution You should not configure an IDSM2 data port as both a SPAN destination port and a VACL capture port, because the IDSM2 will not receive traffic. This dual configuration (SPAN and VACL) causes problems on the switch and traffic is not sent properly.

Note Before Catalyst Software 8.4(3), the IDSM2 data ports defaulted to trunking all VLANs. In Catalyst Software 8.4(3) and later, the IDSM2 data ports default to trunking no VLANs. Make sure that the IDSM2 ports are trunking the proper VLANs, especially if you are upgrading from pre-8.4(3) to 8.4(3) or later.

Using the TCP Reset Interface

The IDSM2 has a TCP reset interface—port 1. The IDSM2 has a specific TCP reset interface because it cannot send TCP resets on its sensing ports.

If you have reset problems with the IDSM2, and the switch is running Catalyst software, try the following:

•If the sensing ports are access ports (a single VLAN), you need to configure the reset port to be in the same VLAN.

•If the sensing ports are dot1q trunk ports (multi-VLAN), the sensing ports and reset port all must have the same native VLAN, and the reset port must trunk all the VLANs being trunked by both the sensing ports.

Note In Cisco IOS, when the IDSM2 is in promiscuous mode, the IDSM2 ports are always dot1q trunk ports (even when monitoring only one VLAN), and the TCP reset port is automatically set to a trunk port and is not configurable.

Configuring SPAN

The IDSM2 can analyze Ethernet VLAN traffic from Ethernet or Fast Ethernet SPAN source ports, or you can specify an Ethernet VLAN as the SPAN source. This section describes how to configure SPAN, and contains the following topics:

Configuring VACL Capture

You can set VACLs to capture traffic for IPS from a single VLAN, from multiple VLANs, or from FlexWAN2 ports on the 7600 router when using Cisco IOS software. This section describes how to configure VACL capture, and contains the following topics:

Catalyst Software

Note Port 1 is set as the TCP reset port. Ports 7 and 8 are the sensing ports and can be configured as security ACL capture ports. By default, in Catalyst Software 8.4(1) and earlier releases, ports 7 and 8 are configured as trunk ports and trunk all VLANs on which a security ACL has been applied with the capture feature. To monitor traffic from specific VLANs only, you need to clear the VLANs that you do not want to monitor so that they are not trunked to ports 7 and 8.

Use the set security acl command to configure security ACL capture ports.

The following options apply:

•ACL—Sets security ACL features

–capture-port—Sets ports for ACL capture

–cram—Sets security ACL cram

–ip—Sets IP security ACL features

–ipx—Sets IPX security ACL features

–mac—Sets MAC security ACL features

–map—Sets security ACL to VLAN mapping

•permit—Specifies packets to forward

•deny—Specifies packets to reject

•redirect—Specifies packets to redirect to ports

•before—Inserts an ACE before a specified ACE in the edit buffer

•capture—Makes a copy of this flow on the capture ports

•modify—Modifies a specified ACE in the edit buffer

To configure VACLs to capture IPS traffic on VLANs, follow these steps:

Step 1 Log in to the console.

Step 2 Enter privileged mode.

console> enable

Step 3 Create the VACL to capture traffic. Specify what traffic is permitted, denied, and captured.

Note When the switch is routing traffic, you should configure the IDSM2 to monitor all VLANs being routed. If you apply the VACL to a FlexWAN2 port, you need to configure the IDSM2 to monitor all VLANs.

Configuring the mls ip ids Command

Catalyst Software

When you are running the Cisco IOS Firewall on the MSFC, you cannot use VACLs to capture traffic for the IDSM2, because you cannot apply VACLs to a VLAN in which you have applied an IP inspect rule for the Cisco IOS Firewall. However, you can use the mls ip ids command to designate which packets are captured. Packets that are permitted by the ACL are captured. Those denied by the ACL are not captured. The permit/deny parameter does not affect whether a packet is forwarded to destination ports. Packets coming into that router interface are checked against the IPS ACL to determine if they should be captured. The mls ip ids command is applied as part of the MSFC configuration instead of the supervisor configuration. The mls ip ids command only captures incoming traffic. Use the mls ip ids command on both the client-side router interface and server-side router interface, so that both directions of the connection are captured.

To use the mls ip ids command to capture IPS traffic, follow these steps:

Step 1 Log in to the MSFC.

Step 2 Enter privileged mode.

console> enable

Step 3 Enter configuration mode.

Router# configure terminal

Step 4 Configure an ACL to designate which packets will be captured.

Router(config)# ip access-list extended word

Step 5 Select the interface that carries the packets to be captured.

Router(config)# interface interface_name

Step 6 Apply the ACL created in Step 4 to the interface selected in Step 5.

Router(config-if)# mls ip ids word

Step 7 Log in to the supervisor engine.

Step 8 Enter privileged mode.

console> enable

Step 9 On the supervisor engine, add the IDSM2 monitoring port (port 7 or 8) to the VACL capture list.

console> (enable) set security acl capture module_number/port_number

Caution For the IDSM2 to capture all packets marked by the mls ip ids command, port 7 or 8 of the IDSM2 must be a member of all VLANs to which those packets are routed.

Cisco IOS Software

When you are using ports as router interfaces rather than switch ports, there is no VLAN on which to apply a VACL.

You can use the mls ip ids command to designate which packets are captured. Packets that are permitted by the ACL are captured. Those denied by the ACL are not captured. The permit/deny parameter does not affect whether a packet is forwarded to destination ports. Packets coming into that router interface are checked against the IPS ACL to determine if they should be captured.

To use the mls ip ids command to capture IDS traffic, follow these steps:

Understanding the Switch, the IDSM2, and Inline Mode

You can use IDM or the CLI to configure the IDSM2 to operate in inline mode between two separate VLANs (one VLAN for each side of the IDSM2). To prepare the IDSM2 for inline mode, you must configure the switch as well as the IDSM2. Configure the switch first, then configure the IDSM2 interfaces for inline mode.

Catalyst Software

You configure the IDSM2 monitoring ports as trunk ports for inline operation for Catalyst software 8.4(1) or later with Supervisor Engine 1a, Supervisor Engine 2, Supervisor Engine 32, or Supervisor Engine 720. Because the native VLAN is the same as the sole VLAN being trunked, the traffic is not 802.1q encapsulated.

Caution Before Catalyst software 8.4(3), the default configuration for the IDSM2 ports 7 and 8 is to trunk all VLANs 1 to 4094. If you clear the IDSM2 configuration (clear configuration module_number), the IDSM2 trunks all VLANs. If the IDSM2 interfaces are configured for inline, spanning tree loops will likely be created and a storm will occur. A storm is numerous packets looping and never reaching their destination.

To configure the monitoring ports on the IDSM2 for inline operation, follow these steps:

Understanding the Switch, the IDSM2, and Inline VLAN Pair Mode

You can use IDM or the CLI to configure the IDSM2 to operate in inline VLAN pair mode. To prepare the IDSM2 for inline VLAN pair mode, you must configure the switch as well as the IDSM2. Configure the switch first, then configure the IDSM2 interfaces for inline VLAN pair mode.

To configure the monitoring ports on the IDSM2 for inline VLAN pair mode, follow these steps:

Step 1 Log in to the console.

Step 2 Enter privileged mode.

console> enable

Step 3 Clear all VLANs from the IDSM2 monitoring port.

console (enable)> clear trunk slot_number/port_number 1-4094

Example

console (enable)> clear trunk 9/7 1-4094

Note Before Catalyst software 8.4(3), the value for the VLAN range when clearing VLANs from the IDSM2 monitoring port was 1-1005, 1024-4094. In later versions you can clear the entire VLAN range, 1-4094.

Step 4 Configure the IDSM2 monitoring port to trunk the VLANs to be paired.

console (enable)> set trunk slot_number/port_number vlans_to_be_paired

Example

console (enable)> set trunk 9/7 651,652

Step 5 Set the native VLAN for the IDSM2 monitoring port to a value other than the paired VLANs used in Step 4.

console (enable)> set vlan vlan_number slot_number/port_number

Example

console (enable)> set vlan 1 9/7

The default native VLAN is VLAN 1.

Step 6 Repeat Step 4 for other VLANs to be paired on the IDSM2 monitoring port.

Step 7 To configure the other monitoring port, repeat Steps 3 through 6.

Understanding EtherChannel Load Balancing

Supervisor Engines in the Catalyst 6500 series chassis recognize IDSM2 devices that are running IPS 5.x and greater as EtherChannel devices. This lets you install up to eight IDSM2 devices in the same chassis.

The IDSM2 in the Catalyst 6500 series switch has eight internal ports. Only four of these ports are used. Port 1 is a TCP/IP reset port. Port 2 is the command and control port. Ports 7 and 8 are the sensing ports for Catalyst software and data ports 1 and 2 for Cisco IOS software. The other ports are not used.

The backplane is 1000 Mbps, which is why the IDSM2 shows 1000 Mbps even though it can only handle about 600 Mbps of performance. ECLB allows up to eight IDSM2 devices to participate in the load balancing on either port 7 or port 8.

EtherChannel and the Three Sensing Modes

EtherChannel provides load balancing and failover between multiple IDSM2s in all three sensing modes. The IDSM2 does not participate in EtherChannel protocols such as LACP or PAgP. Cisco IOS only allows load balancing using the src-dst-ip algorithm, so that all packets between a given pair of IP addresses are always mapped to the same channel; Catalyst software uses the ip both algorithm. This is necessary so that the IDSM2 can correctly track the connections between two hosts.

Caution You cannot mix IDSM2 data ports with other port types in an EtherChannel group. You must configure all data ports in an EtherChannel group identically.
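The src-dst-ip requirement above exists because an IPS can only track a TCP connection if both directions of it reach the same module. The following Python script is an added illustration, not Cisco code: it models the supervisor's link selection as a simplified source-XOR-destination hash folded into a link index (the real hardware algorithm is proprietary and more involved) and contrasts it with a hypothetical source-only hash, reporting which flows each policy would split across two IDSM2s. The addresses and flow list are constructed sample data.

```python
"""Why ECLB in front of IDSM2s must hash on source AND destination address.
Added example, not Cisco code: the link selection below is a simplified model
(source XOR destination, folded into a link index); the supervisor's real hash
is proprietary. It is enough to show the property the IPS depends on."""
import ipaddress
from collections import defaultdict


def _ip_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def hash_src_dst_ip(src: str, dst: str, num_links: int) -> int:
    """src-dst-ip policy (the IOS default): XOR is commutative, so A->B and
    B->A always select the same link, i.e. the same IDSM2."""
    return (_ip_int(src) ^ _ip_int(dst)) % num_links


def hash_src_ip(src: str, dst: str, num_links: int) -> int:
    """Hypothetical source-only policy, shown only for contrast."""
    return _ip_int(src) % num_links


def split_flows(hash_fn, flows, num_links: int) -> list:
    """Return the (client, server) pairs whose two directions would land on
    different IDSM2s, so that neither module sees the whole connection."""
    return [(c, s) for c, s in flows
            if hash_fn(c, s, num_links) != hash_fn(s, c, num_links)]


def distribution(hash_fn, flows, num_links: int) -> dict:
    """Map link index -> list of unidirectional flows sent to that IDSM2."""
    buckets = defaultdict(list)
    for c, s in flows:
        buckets[hash_fn(c, s, num_links)].append((c, s))
        buckets[hash_fn(s, c, num_links)].append((s, c))
    return dict(buckets)


# Constructed sample flows (client, server); addresses are illustrative only.
SAMPLE_FLOWS = [
    ("10.1.1.10", "10.2.2.21"),
    ("10.1.1.11", "10.2.2.21"),
    ("10.1.1.12", "10.2.2.22"),
    ("10.1.1.13", "10.2.2.23"),
]

if __name__ == "__main__":
    for name, fn in (("src-dst-ip", hash_src_dst_ip), ("src-ip", hash_src_ip)):
        for links in (2, 8):
            split = split_flows(fn, SAMPLE_FLOWS, links)
            print(f"{name}, {links} IDSM2s: {len(split)} split flow(s) {split}")
```

Run directly, it prints for two- and eight-module channels which sample flows each policy would split. With the symmetric hash the list is empty regardless of the number of modules, which is the property the IDSM2 relies on for connection tracking; the source-only policy sends the reverse direction of some flows to a different module, where the IPS would see only half the conversation.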

EtherChannel and the IDSM2 operate in the following way in the three sensing modes:

•EtherChannel and promiscuous mode—When the IDSM2 operates in promiscuous mode, the two data ports operate independently of each other. If you configure the switch so that a data port has two or more IDSM2s in a group, the switch distributes traffic between the IDSM2s. This balances the traffic between multiple IDSM2s. You should rebalance the channel when a data port goes to the errDisabled state, or the IDSM2 is shut down, powered down, or reset.

•EtherChannel and inline mode—When you configure multiple IDSM2s for inline mode, you can load balance the traffic between the IDSM2s by putting data port 1 of each IDSM2 into one channel group and data port 2 of each IDSM2 into another channel group.

Caution To make sure that the same traffic is assigned to the two data ports on each IDSM2, you must assign the same EtherChannel index to both data ports on each of the IDSM2s even though they are in different EtherChannel groups.

•EtherChannel and inline VLAN pair mode—When the IDSM2 is in inline on-a-stick mode, the two data ports operate independently of each other. The same restrictions apply as for promiscuous mode.

Enabling ECLB

This section describes how to enable ECLB for Cisco IOS and Catalyst software. It contains the following sections:

Restoring Defaults

Use the intrusion-detection module module_number data-port {1 | 2} default command to restore the defaults to the specified data port. This command restores the following defaults: allowed VLANs, autostate, portfast, cost, and priority settings. If the data port belongs to a port channel, this command has no effect. This command is useful for clearing the data port before you add it to a port channel group.

An EtherChannel balances the traffic load across the links in an EtherChannel by reducing part of the binary pattern formed from the addresses in the frame to a numerical value that selects one of the links in the channel.

EtherChannel load balancing can use MAC addresses, IP addresses, or Layer 4 port numbers, which can be source or destination or both source and destination addresses or ports. The selected mode applies to all EtherChannels configured on the switch. ECLB can also use MPLS Layer 2 information.

Use the option that provides the balance criteria with the greatest variety in your configuration. For example, if the traffic on an EtherChannel is going only to a single MAC address and you use the destination MAC address as the basis of ECLB, the EtherChannel always chooses the same link in the EtherChannel; using source addresses or IP addresses might result in better load balancing.

To configure ECLB for promiscuous operation on the IDSM2, follow these steps:

Step 1 Configure each IDSM2 for promiscuous operation.

Note Make sure that all IDSM2 VACL capture or SPAN or monitor configuration lines have been removed before configuring ECLB for the IDSM2.

ECLB in Inline Mode

Note Make sure that all IDSM2 VACL capture or SPAN or monitor configuration lines have been removed before configuring ECLB for the IDSM2. You receive an error if you try to change the channel group to inline mode if you have capture enabled on any of the ports.

Each EtherChannel has a numbered port channel interface. You can configure a maximum of 64 port channel interfaces, numbered from 1 to 256. If the channel group and port channel have not been created, this command creates it with an empty allowed VLAN list. If the port channel exists, its allowed VLAN list, port fast, autostate, spanning tree cost, and priority settings are assigned to the data port.

Note You receive an error if you try to add a data port to a channel group that contains other port types or if you try to add another port type to a port channel containing one or more data ports.

Step 4 For each IDSM2, add all data port 2s into a different EtherChannel.

Note You receive an error message if the port channel does not exist or if the port channel is already configured for trunk or capture mode. You must create the port channel or remove the port channel from trunk or capture mode.

Step 6 Set the sensing mode to access (inline) and set the access VLAN for the channel group that contains the data port 2s.

ECLB in Inline VLAN Pair Mode

Note Make sure that all IDSM2 VACL capture or SPAN or monitor configuration lines have been removed before configuring ECLB for the IDSM2. You receive an error if you try to change the channel group to inline VLAN pair mode if you have capture enabled on any of the ports.

To configure ECLB for inline VLAN pair mode on the IDSM2, follow these steps:

Step 1 Log in to the console.

Step 2 Enter global configuration mode.

router# configure terminal

Step 3 Add the data port (either data port 1 or data port 2) from each IDSM2 to the EtherChannel.

Each EtherChannel has a numbered port channel interface. You can configure a maximum of 64 port channel interfaces, numbered from 1 to 256. If the channel group and port channel have not been created, this command creates it with an empty allowed VLAN list. If the port channel exists, its allowed VLAN list, port fast, autostate, spanning tree cost, and priority settings are assigned to the data port.

Note You receive an error if you try to add a data port to a channel group that contains other port types or if you try to add another port type to a port channel containing one or more data ports.

Step 4 Set the sensing mode to trunk (inline VLAN pair) and set the allowed VLANs for the channel group that contains the data port 1s. Determine which VLANs are going to be paired (100 and 200, 101 and 201) and set the allowed VLAN list to include all VLANs in all the pairs.

Note The allowed VLAN list on the switch must include all VLANs that are paired as inline VLAN pairs on the IDSM2. Otherwise, traffic may be dropped.

Note You receive an error message if the port channel does not exist or if the port channel is already configured for trunk or capture mode. You must create the port channel or remove the port channel from trunk or capture mode.

Step 5 Configure ECLB.

router(config)# port-channel load-balance src-dst-ip

The default is src-dst-ip, which means EtherChannel uses the combination of source and destination IP addresses for its distribution method.

Example

router(config)# port-channel load-balance src-dst-ip

Step 6 Verify ECLB.

router# show etherchannel load-balance

EtherChannel Load-Balancing Configuration:

src-dst-ip

EtherChannel Load-Balancing Addresses Used Per-Protocol:

Non-IP: Source XOR Destination MAC address

IPv4: Source XOR Destination IP address

IPv6: Source XOR Destination IP address

MPLS: Label or IP

Step 7 For access (inline) mode, set autostate to include the channel group.

Note In this output, an EtherChannel with ID 1669 is created to have two IDSM2 data ports. Port 1/7 is for port 7 on the IDSM2 in slot 1 while port 7/7 is for port 7 on the IDSM2 in slot 7. Both IDSM2s are configured for promiscuous operation. The switch load balances between each of the two IDSM2 ports (one port on each IDSM2).
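The VLAN coordination rules for inline VLAN pair mode (in the Catalyst procedure above: every paired VLAN must be trunked and the native VLAN must be outside the pairs; in the ECLB procedure: the channel's allowed VLAN list must contain every paired VLAN or traffic is dropped) are easy to get wrong when pairs are defined on the IDSM2 and trunks on the switch separately. The following Python checker is an added example, not a Cisco tool: it parses a switch-style VLAN list such as 651,652 or 1-1005,1024-4094 and reports any pair whose VLANs are not allowed on the trunk, collide with the native VLAN, reuse a VLAN from another pair, or exceed the 255 pairs per data port limit. The sample configurations are constructed.

```python
"""Consistency check between the switch trunk and the IDSM2 inline VLAN pairs.
Added example, not Cisco code: it reads the VLAN list in the same syntax the
set trunk / allowed VLAN commands use and applies the rules stated in the
procedure (paired VLANs must be allowed, the native VLAN must lie outside the
pairs, a VLAN belongs to at most one pair, and a port bridges at most 255 pairs).
"""

MAX_PAIRS_PER_PORT = 255   # limit stated for inline VLAN pair mode
VLAN_MIN, VLAN_MAX = 1, 4094


def parse_vlan_list(spec: str) -> set:
    """Expand a VLAN list like '651,652' or '1-1005,1024-4094' into a set of ints."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {part!r}: start exceeds end")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    out_of_range = sorted(v for v in vlans if not VLAN_MIN <= v <= VLAN_MAX)
    if out_of_range:
        raise ValueError(f"VLAN ids outside {VLAN_MIN}-{VLAN_MAX}: {out_of_range}")
    return vlans


def check_inline_vlan_pairs(allowed_vlans: str, native_vlan: int, pairs) -> list:
    """Return a list of problem strings; an empty list means the switch trunk
    and the IDSM2 pairs agree. `pairs` is a sequence of (vlan_a, vlan_b)."""
    problems = []
    allowed = parse_vlan_list(allowed_vlans)
    if len(pairs) > MAX_PAIRS_PER_PORT:
        problems.append(f"{len(pairs)} pairs exceed the {MAX_PAIRS_PER_PORT} per data port limit")
    owner = {}  # vlan -> index of the pair that first used it
    for idx, (a, b) in enumerate(pairs, start=1):
        if a == b:
            problems.append(f"pair {idx}: VLAN {a} cannot be paired with itself")
        for vlan in (a, b):
            if vlan not in allowed:
                problems.append(f"pair {idx}: VLAN {vlan} is not in the trunk's allowed list, "
                                "so its traffic is dropped")
            if vlan == native_vlan:
                problems.append(f"pair {idx}: VLAN {vlan} is the native VLAN; pick a native "
                                "VLAN outside the pairs")
            if vlan in owner and owner[vlan] != idx:
                problems.append(f"pair {idx}: VLAN {vlan} already belongs to pair {owner[vlan]}")
            owner.setdefault(vlan, idx)
    return problems


# Constructed samples: the trunk from the procedure above, and a broken one
# whose native VLAN is paired and whose second pair is only half trunked.
GOOD_CONFIG = dict(allowed_vlans="651,652", native_vlan=1, pairs=[(651, 652)])
BAD_CONFIG = dict(allowed_vlans="100,200,201", native_vlan=100,
                  pairs=[(100, 200), (101, 201)])

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        issues = check_inline_vlan_pairs(**cfg)
        print(f"{name}: {len(issues)} problem(s)")
        for line in issues:
            print("  -", line)
```

Feed it the allowed VLAN list exactly as it appears in the switch configuration and the pairs as defined on the IDSM2; the good sample passes, while the bad sample reports both the native VLAN collision and the VLAN missing from the trunk, which is the silent-drop case the ECLB note warns about.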

Administrative Tasks for the IDSM2

Enabling Full Memory Tests

When the IDSM2 initially boots, by default it runs a partial memory test. You can enable a full memory test in Catalyst software and Cisco IOS software. This section describes how to enable full memory tests, and contains the following topics:

Resetting the IDSM2

If for some reason you cannot communicate with the IDSM2 through SSH, Telnet, or the switch session command, you must reset the IDSM2 from the switch console. The reset process requires several minutes. This section describes how to reset the IDSM2, and contains the following topics:

Catalyst Software

Step 3 Reset the IDSM2 to the application partition or the maintenance partition.

console> (enable) reset module_number {hdd:1 | cf:1}

Note If you do not specify either the application partition (hdd:1, the default) or the maintenance partition (cf:1), the IDSM2 uses the boot device variable to choose the partition.

Example

console> (enable) reset 3

2003 Feb 01 00:18:23 %SYS-5-MOD_RESET: Module 3 reset from console//

Resetting module 3... This may take several minutes.

2003 Feb 01 00:20:03 %SYS-5-MOD_OK: Module 3 is online.

console> (enable)

Caution If the IDSM2 is removed from the switch chassis without first being shut down, or the chassis loses power, you may need to reset the IDSM2 more than once. If the IDSM2 fails to respond after three reset attempts, boot the maintenance partition, and perform the instructions for restoring the application partition.

Cisco IOS Software

Use the hw-module module slot_number reset {hdd:1 | cf:1} command in EXEC mode to reset the IDSM2. The reset process takes several minutes. The IDSM2 boots into the boot partition you specify. If you do not specify the boot string, the default boot string is used.

To reset the IDSM2 from the CLI, follow these steps:

Step 1 Log in to the console.

Step 2 Reset the IDSM2.

router# hw-module module module_number reset {hdd:1 | cf:1}

Note If you do not specify either the application partition (hdd:1, the default) or the maintenance partition (cf:1), the IDSM2 uses the boot device variable to choose the partition.

Resets the IDSM2 into the partition specified by the boot device variable; if the boot device variable has not been set, the IDSM2 is reset to the application partition by default. Use the command show boot device module module_number to view the current setting of the boot device variable. cf:1 is the maintenance partition. hdd:1 is the application partition.

•hw-module module module_number shutdown

Shuts down the IDSM2 so that it can be safely removed from the chassis.

•reload

Reloads the entire switch.

•session slot module_number processor processor_number

Logs in to the console of the IDSM2 from the switch console.

•show boot device module module_number

Displays the current boot string for the specified module.

•show diagnostic result module module_number

Displays the results of the online diagnostics that were performed when the IDSM2 was last booted up.

Displays the state or traffic statistics of the IDSM2 management port.

•show ip access-lists

Displays the current access lists.

•show module [module_number | all | version]

Displays the installed modules, versions, and states.

•show monitor session session_number

Displays the SPAN source and destination for the specified session.

•show running-config

Displays the configuration that is currently running.

•show spanning-tree active

Displays spanning tree state information for active interfaces only.

•show spanning-tree detail

Displays detailed spanning tree state information.

•show spanning-tree summary [totals]

Displays the high level state of spanning tree. Does not show interface specific information.

•show spanning-tree vlan vlan_number

Displays spanning tree state information for the specified VLAN. Includes list of ports on which those VLANs are forwarded or blocked.

•show startup-config

Displays the saved configuration.

•show vlan access-map

Displays all current VLAN access maps.

Configuration Commands

The following configuration commands are all performed in either global configuration mode, interface configuration mode, or VACL configuration submode:

•Global configuration mode

–boot device module module_number {cf:1 | hdd:1}

Sets the default boot device for the specified module. cf:1 boots to the MP and hdd:1 boots to the AP. The no option clears the boot string, which sets the default boot device to the AP.

–clock calendar valid

Sets the current calendar time as the switch time on bootup.

–clock summer-time zone recurring

Sets the switch to use the summertime settings.

–clock timezone zone offset

Sets the timezone for the switch/IDSM2.

–fabric switching-mode force busmode

Lets service modules that do not support packet recirculation be forced into communicating through the chassis shared bus instead of the switched fabric. This forces the supervisor to handle packet recirculation centrally and lets the service module communicate properly on VLANs meeting the conditions stated above. Other fabric-enabled modules that are not affected by this problem continue to communicate through the switch fabric even if this command is enabled.

Includes (or excludes) the specified data port in the autostate calculation. When included, the switch virtual interface associated with an MSFC or WLAN port remains up while the module's data port is enabled. When excluded, the switch virtual interface associated with the MSFC or WAN port goes down if the specified module's data port is the only active port in the VLAN. The default is no include.

Configures the specified data port as a capture destination port. You must also set the allowed VLAN list through the intrusion-detection module module_number data-port {1 | 2} capture command before any packets are captured. The IDSM2 must be in promiscuous mode.

Sets the allowed VLANs on the specified data port for packet capture. You must also enable capture mode on the data port through the intrusion-detection module module_number data-port {1 | 2} capture command before traffic is captured on the data port.

–intrusion-detection module module_number data-port {1 | 2} default

Restores the allowed VLANs, autostate, PortFast, port cost, and priority settings for the specified data port to the default values. This command is useful to remove any configuration from a data port before you add it to a channel group.

Adds the data port for the specified module to the channel group, which creates a port channel with the same numeric ID. If the channel group and port channel have not been created, this command creates it with an empty allowed VLAN list. The no option removes the data port from the channel group, restores the data port settings to their defaults, and deletes the port channel if it is empty.

Enables or disables PortFast on the data port. When PortFast is enabled, traffic is forwarded by the switch to the IDSM2 data port while the spanning tree is being built. When disabled, traffic is inhibited until after the tree is built and the backplane port is in the forwarding state. The default is disabled. The trunk option enables or disables PortFast when the data port is configured as a trunk (in promiscuous or inline VLAN pair mode).

Sets the data port to trunking mode and sets the list of allowed VLANs on the data port for the specified module. The no option removes the data port from trunking mode and clears the list of allowed VLANs on the data port for the specified module.

Sets all data ports in the specified port channel to access mode and sets the access VLAN for the data ports. The no option clears the list of allowed VLANs on the data ports of all modules in the specified port channel.

–[no] intrusion-detection port-channel channel_number autostate include

Includes or excludes all data ports in the specified port channel from the autostate calculation. When included, the virtual switch interface associated with an MSFC or WLAN port remains up while the data port is enabled. When excluded, the virtual switch interface associated with the MSFC or WAN port goes down if the data port is the only active port in the VLAN. The data ports are excluded from the autostate calculations by default.

–[no] intrusion-detection port-channel channel_number capture

Configures all data ports in the channel group as capture ports. The no option disables the capture function on all data ports in the channel group.

Sets the list of capture VLANs on the data ports of all modules in the specified port channel. This command does not set the channel group to capture mode. Use the intrusion-detection port-channel channel_number capture command to set the channel group to capture mode. The no option clears the list of capture VLANs on the data ports of all modules in the specified port channel.

Enables or disables PortFast on the data ports in the port channel. When PortFast is enabled, traffic is forwarded by the switch to the data port while the spanning tree is being built. When disabled, traffic is inhibited until after the tree is built and the backplane port is in the forwarding state. Use the trunk option to enable or disable PortFast when the data port is configured as a trunk (in promiscuous or inline VLAN pair mode). Do not use the trunk option when the data ports are configured as access ports (inline mode). PortFast and PortFast trunk are disabled by default.

Sets the list of allowed VLANs on the data ports of all modules in the specified port channel. The no option clears the list of allowed VLANs on the data ports of all modules in the specified port channel.

Selects the spanning tree protocol (PVST+, MST, or Rapid-PVST+) to be used globally on the switch. The default is PVST. MST is not supported for the IDSM2. The no option restores the spanning tree mode to the default.